Cyber Incident Victim: ADRA International

Date: May 2020

Location: United States of America

Summary

ADRA International was impacted by a ransomware attack targeting Blackbaud's cloud database, resulting in potential exposure of supporters' personal and financial data including names, addresses, phone numbers, dates of birth, donation histories, credit card details, and bank account information. The breach stemmed from unencrypted data fields within Blackbaud's systems, contradicting initial assurances that sensitive information remained protected. Multiple affected organizations independently confirmed inconsistencies in Blackbaud's disclosures, with investigations revealing unauthorized access to government-issued identification numbers, Social Security numbers, and banking credentials that the vendor had claimed were secured. This incident highlighted systemic vulnerabilities in Blackbaud's data protection practices, as multiple entities discovered sensitive donor information remained unencrypted in uploaded documents and form fields despite the vendor's encryption assertions.


Description

The Blackbaud data breach, discovered in May 2020, involved unauthorized access to the cloud-based customer relationship management platform used by numerous non-profit and educational institutions, including ADRA International. Threat actors deployed ransomware after exfiltrating data from Blackbaud's systems. Blackbaud paid the ransom in exchange for the attackers' purported destruction of the stolen data, though the company initially claimed no sensitive information like Social Security numbers, bank account details, or credit card data had been compromised. ADRA International’s September 29 notification revealed the breach potentially exposed supporters’ personal data, including names, addresses, phone numbers, dates of birth, giving history, credit card information, and bank account details. Multiple organizations subsequently identified discrepancies between Blackbaud’s initial assurances and their own forensic findings, with MacDowell confirming threat actors accessed unencrypted fields containing driver’s license and government ID numbers due to an encryption oversight by Blackbaud.

Further investigations by affected entities uncovered systemic issues with Blackbaud’s data handling. The Latin School of Chicago determined uploaded forms containing Social Security numbers remained unencrypted, contrary to Blackbaud’s general encryption claims for sensitive fields. Scholarship America and Shady Hill School similarly reported unauthorized access to unencrypted sensitive data. By late September 2020, Blackbaud revised its stance, acknowledging the cybercriminals may have accessed unencrypted fields storing bank account information, Social Security numbers, usernames, and passwords for some customers, though it continued to deny exposure of credit cardholder data. Organizations like St. Bonaventure University and Perez Art Museum of Miami independently confirmed potential compromises of bank routing numbers and account details, while Ball State University found files containing Social Security numbers might have been accessed despite asserting such data was not stored in their system. ADRA International and other impacted entities notified affected individuals but faced challenges reconciling Blackbaud’s evolving statements with their own data assessments, leading to varied responses including supplemental support offers for high-risk cases.
